Feeds

Will bloggers get the blame for DoH mess?

Criminal charges for who?

Providing a secure and efficient Helpdesk

Opinion Health Secretary Patricia Hewitt said the mess made of online applications for doctors could lead to criminal charges. But did she mean the people responsible for such a shoddy system or did she mean the bloggers who brought the problems to light are likely to be charged?

A touch surprising to find the Secretary of State for Health, Patricia Hewitt, stating the truth in a written ministerial statement to the Commons on Tuesday:

"Because the investigation has made it clear that criminal offences may have been committed, the MWR analysis and report have been given to the police."

That "may" is a little mild, as it is quite clear that criminal offences have been committed during the wonderful little saga of the medical training application service (MTAS) and its computer system. Over and above the usual political porkies that is, such as this line from the statement:

"There had been two security breaches of the medical training application service (MTAS) that arose on 25 and 26 April."

There was no security breach that arose on 26 April. There was one that was revealed on that date, yes, but the breach went back to the beginnings of the system and was inherent in the design.

The breach itself was one that would ashame the most neophyte of script kiddies. There was no attempt to create a login session when someone entered the system, nor was there any checking of the IP of the machine being used to prevent session hijacking.

As David Gillies has pointed out: "There is NO WAY that this was anything other than gross incompetence. It is inconceivable that MTAS had a working login session mechanism that was then replaced by the brain-dead version it had when the security breaches came to light."

He then goes on to say that this is a level of stupidity likely actionable under the Data Protection Act. "Implementers of systems containing personal information have a statutory duty, I believe, to ensure only authorised persons have access to that data."

So there's our first criminal offence, among those who planned, built, and implemented this system.

Then there are those who brought the problem to light, such as the NHSBlogDoctor. Distressed at being informed of such a gaping loophole in the system he went to have a look for himself. This is a criminal offence - hacking a computer system. Unable to believe what he saw, he asked a few trusties to have a look themselves - another offence, incitement to hack a computer system.

Having committed these offences, what did the Good Doctor do then? He informed the Department of Health and the system was taken down within a few minutes, thus preventing said department from continuing in their own breach of the law.

Only the excessively cynical would believe that Ms Hewitt was referring only to the second set of breaches, rather than the first, or that the police will concentrate on the whistleblower(s) rather than the original problem.

The realists among us though, will note that there is still something of a problem. When alerted to a possible breach of the law by the authorities, it would seem that investigating such breach is in itself a criminal offence. That's certainly the way to bring about some accountability to the system don't you think? A way of preventing the more obvious lunacies, of improving the system?

But, of course, this is paranoia. No one is going to interpret the law that way, are they? In a world where adding ../../../ to a URL is worth £400 plus costs and the loss of your job and career. No, of course not, it's just paranoia. ®

Tim Worstall is a freelance and blogs at www.timworstall.com.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.